4 Answers

Full disclosure: I am one of the authors and the current maintainer of the eCryptfs userspace utilities.

Great question!

Linux has a maximum filename length of 255 characters for most filesystems (including EXT4), and a maximum path of 4096 characters.

eCryptfs is a layered filesystem. It stacks on top of another filesystem such as EXT4, which is actually used to write data to the disk. eCryptfs always encrypts file contents, but it can optionally encrypt (obscure) filenames (or not).

If filenames are not encrypted, then you can safely write filenames of up to 255 characters and encrypt their contents, as the filenames written to the lower filesystem will simply match. While an attacker would not be able to read the contents of index.html or budget.xls, they would know what file names exist. That may (or may not) leak sensitive information depending on your use case.

If filenames are encrypted, things get a little more complicated. eCryptfs prepends a bit of data on the front of the encrypted filename, such that it can identify encrypted filenames definitively. Also, the encryption itself involves "padding" the filename.

For instance, I have an encrypted file, ~/.bashrc. This filename is encrypted using my key to:

Clearly, that 7 character filename now requires more than 7 characters to be encrypted. Empirically, we have found that character filenames longer than 143 characters start requiring >255 characters to encrypt. So we (as eCryptfs upstream developers) typically recommend you limit your filenames to ~140 characters.

Now, all that said, the Synology NAS is a commercial product that embeds and uses eCryptfs and Linux to encrypt and secure data on the device. We (the upstream developers of eCryptfs) have nothing to do with Synology or their products, though we're generally happy to see eCryptfs used in the wild. It seems to me that their recommendation of 45 characters is either a typographical error (from our 140 character recommendation), or simply a far more conservative estimate.

This thread is very interesting because I was wondering the exact same thing. I can live with having to rename 20 files out of 50 000 if the filenames need to be 140 characters or less, but 45 or less isn't feasible (in my situation) because it would require me to rename too many files.

I asked the exact same question directly to Synology (even pointing them to the present article), and their answer was interesting: "The encrypted share's file name limit is 143 bytes. It can be up to 140 pure Latin character or 45 CJK(Chinese, Japanese, and Korean) characters."

Following this answer I did more testing myself, testing with files that were 45, 46, 140, 143 and 144 characters. My tests show that files up to 143 characters (not bytes, contrary to what Synology told me) will be encrypted, but files with 144 characters will PREVENT a folder from being encrypted. However, the ERROR MESSAGE that I get from my NAS is that the filename needs to be less than 45 characters (whereas the reality is that it should be less than 144 characters).

I did not do tests with CJK characters... But, to anyone reading this, it seems that you are fine until 143 characters, despite what the system tells you.

I also asked more questions to Synology, and I'll be posting the results once I get an answer. Here they are:
- What about folder name length restrictions? Is there a maximum folder length for its name?
- What about path length restrictions? Is there a maximum path length restriction? Which is it (for example, I could have four nested folders that each have a name that is 40 characters, the total path would have a length of slightly more than 160 characters...)?
- What about nested path restrictions? Is there a maximum number of nested paths that are supported? What is it?

The filename length of ecrypt was only an issue for me in that I needed a particular subtree of my home directory to support long filenames, and eventually I realised I could simply create a filesystem inside a file and mount that:

I would like to clarify that Linux has a 255-byte limit per filename, not 255 characters. This is a significant difference, and if you use e.g. UTF-8 encoding, you may end up with filenames of 100 characters max.
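
An added example, not part of any answer above: a Python pre-check that lists the names in a tree that exceed the 143 limit reported in this thread, so they can be renamed before the folder is encrypted. Counting bytes rather than characters is an assumption based on the Synology reply and the 255-byte note; `find_long_names`, `name_lengths` and `ECRYPTFS_NAME_LIMIT` are names chosen for this example.

```python
import os
import sys

# 143 is the limit reported on this page. Treating it as a byte count is an
# assumption (Synology's reply says bytes; one answer observed characters).
ECRYPTFS_NAME_LIMIT = 143


def name_lengths(name):
    """Return (characters, bytes) for a single path component."""
    # os.fsencode yields the bytes the filesystem actually stores.
    return len(name), len(os.fsencode(name))


def find_long_names(root, limit=ECRYPTFS_NAME_LIMIT):
    """Walk root and return entries whose name is longer than limit bytes.

    Each result is (path, characters, bytes), sorted by path. Files and
    directories are both checked, since each is an entry in its parent.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            chars, size = name_lengths(name)
            if size > limit:
                hits.append((os.path.join(dirpath, name), chars, size))
    return sorted(hits)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} DIRECTORY", file=sys.stderr)
        return 2
    hits = find_long_names(argv[1])
    for path, chars, size in hits:
        print(f"{size:4d} bytes {chars:4d} chars  {path}")
    # A non-zero exit status lets a migration script stop before encrypting.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A name of 45 CJK characters is 135 bytes in UTF-8 and passes, while 48 such characters are 144 bytes and are reported, which matches the 140 Latin / 45 CJK split in the Synology reply.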